Using Self-Signed Certificates (Sun Java System Message Queue 3.7 UR1 Administration Guide)

Sun Java System Message Queue 3.7 UR1 Administration Guide

Using Self-Signed Certificates

To use an SSL-based connection service over TCP/IP, you generate a public/private key pair using the Key Tool utility (imqkeytool). This utility embeds the public key in a self-signed certificate that is passed to any client requesting a connection to the broker, and the client uses the certificate to set up an encrypted connection. This section describes how to set up an SSL-based service using such self-signed certificates.

For a stronger level of authentication, you can use signed certificates verified by a certification authority. The use of signed certificates involves some additional steps beyond those needed for self-signed certificates: you must first perform the steps described in this section and then follow them with the additional ones in Using Signed Certificates.

Message Queue's support for SSL with self-signed certificates is oriented toward securing on-the-wire data, on the assumption that the client is communicating with a known and trusted server. The following procedure shows the steps needed to set up an SSL-based connection service to use self-signed certificates. The subsections that follow describe each of these steps in greater detail.

To Set Up an SSL-Based Connection Service Using Self-Signed Certificates

Generate a self-signed certificate.

Enable the ssljms, ssladmin, or cluster connection service in the broker.

Start the broker.

Configure and run the client.

This step applies only to the ssljms connection service and not to ssladmin or cluster.

Generating a Self-Signed Certificate

Run the Key Tool utility (imqkeytool) to generate a self-signed certificate for the broker. (On UNIX® systems, you may need to run the utility as the superuser (root) in order to have permission to create the key store.) The same certificate can be used for the ssljms, ssladmin, or cluster connection service.

Enter the following at the command prompt:

imqkeytool -broker

The Key Tool utility prompts you for a key store password:

   Generating keystore for the broker ...
   Enter keystore password:

Next, the utility prompts you for information identifying the broker to which this certificate belongs. The information you supply will make up an X.500 distinguished name. Table 7–5 shows the prompts and the values to be provided for each. Values are case-insensitive and can include spaces.

Table 7–5 Distinguished Name Information Required for a Self-Signed Certificate


Prompt	X.500 Attribute	Description	Example
`What is your first and last name?`	`commonName` (`CN`)	Fully qualified name of server running the broker	`mqserver.sun.com`
`What is the name of your organizational unit?`	`organizationalUnit` (`OU`)	Name of department or division	`purchasing`
`What is the name of your organization?`	`organizationName` (`ON`)	Name of larger organization, such as a company or government entity	`My Company, Inc.`
`What is the name of your city or locality?`	`localityName` (`L`)	Name of city or locality	`San Francisco`
`What is the name of your state or province?`	`stateName` (`ST`)	Full (unabbreviated) name of state or province	`California`
`What is the two-letter country code for this unit?`	`country` (`C`)	Standard two-letter country code	`US`

When you have entered the information, the Key Tool utility displays it for confirmation. For example:

   Is CN=mqserver.sun.com, OU=purchasing, ON=My Company, Inc.,
   L=San Francisco, ST=California, C=US correct?

To accept the current values and proceed, enter yes; to reenter values, accept the default or enter no. After you confirm, the utility pauses while it generates a key pair.

Next, the utility asks for a password to lock the key pair (key password). Press Return in response to this prompt to use the same password as the key password and key store password.

Note –

Remember the password you specify. You must provide this password when you start the broker, to allow the broker to open the key store. You can store the key store password in a password file (see Password Files).

The Key Tool utility generates a self-signed certificate and places it in Message Queue’s key store. The key store is located in a directory that depends upon the operating system, as shown in Appendix A, Platform-Specific Locations of Message Queue^TM Data.

The following are the configurable properties for the Message Queue key store for SSL-based connection services:

imq.keystore.file.dirpath: The path to the directory containing the key store file. For the default value, see Appendix A, Platform-Specific Locations of Message Queue^TM Data.
imq.keystore.file.name: The name of the key store file.
imq.keystore.password: The key store password.

In some circumstances, you may need to regenerate a key pair in order to solve certain problems: for example, if you forget the key store password or if the SSL-based service fails to initialize when you start a broker and you get the exception

java.security.UnrecoverableKeyException: Cannot recover key

(This exception may result if you provided a key password different from the key store password when you generated the self-signed certificate.)

To Regenerate a Key Pair

Remove the broker’s key store, located as shown in Appendix A, Platform-Specific Locations of Message Queue^TM Data.

Run imqkeytool again to generate a new key pair, as described above.

Enabling an SSL-Based Connection Service

To enable an SSL-based connection service in the broker, you need to add ssljms (or ssladmin) to the imq.service.activelist property.

To Enable an SSL-Based Service in the Broker

Open the broker’s instance configuration file.

The instance configuration file is located in a directory identified by the name of the broker instance (instanceName) with which the configuration file is associated (see Appendix A, Platform-Specific Locations of Message Queue^TM Data):
```
.../instances/instanceName/props/config.properties
```

Add an entry (if one does not already exist) for the imq.service.activelist property and include the desired SSL-based service(s) in the list.

By default, the property includes the jms and admin connection services. Add the SSL-based service or services you wish to activate (ssljms, ssladmin, or both):
```
imq.service.activelist=jms,admin,ssljms,ssladmin
```
Note –
The SSL-based cluster connection service is enabled using the imq.cluster.transport property rather than the imq.service.activelist property; see Connecting Brokers.

Save and close the instance configuration file.

Starting the Broker

Start the broker, providing the key store password. You can provide the password in either of two ways:

Allow the broker to prompt you for the password when it starts up:
```
   imqbrokerd
   Please enter Keystore password:
```
Put the password in a password file, as described in Password Files. Then set the property imq.passfile.enabled = true and do one of the following:
- Pass the location of the password file to the imqbrokerd command:
```
imqbrokerd -passfile /passfileDirectory/passfileName
```
- Start the broker without the -passfile option, but specify the location of the password file using the following two broker configuration properties:
```
imq.passfile.dirpath=/passfileDirectoryimq.passfile.name=passfileName
```

Note –

When you start a broker or client with SSL, you may notice a sharp increase in CPU usage for a few seconds. This is because the JSSE (Java Secure Socket Extension) method java.security.SecureRandom, which Message Queue uses to generate random numbers, takes a significant amount of time to create the initial random number seed. Once the seed is created, the CPU usage level will drop to normal.

Configuring and Running an SSL-Based Client

The procedure for configuring a client to use an SSL-based connection service differs depending on whether it is an application client (using the ssljms connection service) or a Message Queue administrative client such as imqcmd (using the ssladmin connection service.)

Application Clients

For application clients, you must make sure the client has the following .jar files specified in its CLASSPATH variable:

imq.jar

jms.jar

If you are using a version of the Java 2 Software Development Kit (J2SDK) earlier than 1.4, you must also include the following Java Secure Socket Extension (JSSE) and Java Naming and Directory Interface (JNDI) .jar files:

jsse.jar

jnet.jar

jcert.jar

jndi.jar

(It is not necessary to include these files if you are using J2SDK 1.4 or later, which has JSSE and JNDI support built in.)

Once the CLASSPATH files are properly specified, one way to start the client and connect to the broker’s ssljms connection service is by entering a command like the following:

java -DimqConnectionType=TLS clientAppName

This tells the connection to use an SSL-based connection service.

Administrative Clients

For administrative clients, you can establish a secure connection by including the -secure option when you invoke the imqcmd command: for example,

imqcmd list svc -b hostName:portNumber -u adminName -secure

where adminName is a valid entry in the Message Queue user repository. The command will prompt you for the password. (If you are using a flat-file repository, see Changing the Default Administrator Password).

Listing the connection services is a way to verify that the ssladmin service is running and that you can successfully make a secure administrative connection, as shown in the following output:

Listing all the services on the broker specified by:

Host                 Primary Port
localhost            7676

Service Name     Port Number       Service State
admin            33984 (dynamic)   RUNNING
httpjms          -                 UNKNOWN
httpsjms         -                 UNKNOWN
jms              33983 (dynamic)   RUNNING
ssladmin         35988 (dynamic)   RUNNING
ssljms           dynamic           UNKNOWN

Successfully listed services.